Hacking drones by exploiting design flaws

At the Virus Bulletin 2015 conference, the security researcher Oleg Petrovsky detailed methods that can be used to hack drones with pre-programmed routes.

The drone industry is growing at a rapid pace, the aerospace research company Teal Group estimated that sales of military and civilian drones will total over $89 billion in the next 10 years. The possible fields of application for UAVs are unlimited in both military and civil industries.

The rapid diffusion of drones raises many concerns related to their security and the threat they could represent to the privacy.

We have discussed several times about the possibility to hack these complex systems and related consequences.

At the Virus Bulletin 2015 conference, the security researcher Oleg Petrovsky of HP Security Research detailed methods that can be used to hack the unmanned aerial vehicles (UAVs).

Oleg Petrovsky demonstrated how to hack a drone by targeting its flight controller, the expert has analyzed the controllers for various multi-rotor drones and discovered various of weaknesses that could be exploited in cyber attacks.

Despite there are numerous models of drones available on the market, they usually are composed of the same basic components, including motors, batteries, sensors, a GPS unit, a gyroscope, a remote control radio receiver, electronic speed controllers (ESC), and the flight controller.

Petrovsky focused its research on attacks targeting the flight controller, which are systems composed of several sensors and a processing unit.

The majority of drones uses the same flight controllers such as the ArduPilotMega (APM) and Pixhawk from 3D Robotics, MultiWii, OpenPilot, and DJI Naza.

A potential attacker can focus its efforts in hacking these controllers in order to target a wide range of models.

Petrovsky utilized for its test an ArduPilotMega (APM) flight controller on a drone built by himself and a Mission Planner, which is a ground station application.

The researcher detailed the following attack scenarios against drones with pre-programmed routes using the ground station software:

1. Capturing, modifying, and injecting a data stream into a telemetry link connection over a serial port.
2. Spoofing the connection to the ground station to take complete control of the interface.

The ground station application is a crucial component of the flight of a drone, it enables communication with the aerial vehicle and allows the user to wirelessly control it.

The researcher highlighted the lack of authentication in the protocols used to remotely control the drones could be exploited by attackers to gain control of the vehicles.

The attacker can use a malicious software installed on the computer running the ground station to tap into the telemetry link.

The expert also explained that telemetry feeds for wireless remote data transmission, and monitoring of the drones could be easily intercepted and modified by attacks interfering with flight routes of the vehicle.

Petrovsky remarked that attacks he demonstrated aren’t caused by vulnerabilities in the system, rather he exploited design flaws in the UAV systems.

“Securing the firmware on embedded UAV modules, using secure bootloaders, and implementing authentication and encryption mechanisms,” could be some points that…

…an attacker can bypass any security measures, as nothing can be completely secured; similarly “Drones don’t necessarily have to be unhackable the goal should be to make them difficult and expensive to hack.” 

During his speech, Petrovsky showed how his drone’s propellers can easily shred a stack of papers even at half of the speed needed to take off from the ground.

“We have to realize that paying the cost for securing firmware and embedded devices upfront can prove much cheaper than trying to mitigate a disaster resulting from inadequate security measures — especially in the case of UAVs,” the researcher said.

Petrovsky also demonstrated attacks against bootloaders, which are not protected by mechanisms to secure the code such as the encryptions and digital signature of the firmware code.

Despite the numerous research conducted in hacking drones, Petrovsky explained that there aren’t significant improvements for the security of drones because there haven’t been any real-world attacks on commercial vehicles.

Pierluigi Paganini

(Security Affairs – drones hacking, security)